Schlumberger PKI /Corporate Badge Deployment

Post on 24-Mar-2018


1

Schlumberger PKI /Corporate Badge Deployment

Neville Pattinson
Director of Business Development & Technology
IT & Public Sector

2

Overview

• Background
• Overview of the PKI and Corporate Badge components
• Applications
• Deployment Status
• Next Steps
• Lessons Learned

3

Schlumberger... built on global technical services leadership

• Two Divisions:
– Oilfield Services
– SchlumbergerSema
• 80,000 employees
• 140 Countries

4

IT security: the business case

IT Security represents a huge opportunity to enhance SLB's image as a secure information provider and to provide new ways of leveraging our services. Poorly executed IT Security has the potential to destroy our business reputation. Two main priorities:

– Ensure the privacy and integrity of our clients' and our own systems and data.

– IT system availability is critical to our business.

5

IT security: facts

• Decentralized management needs to be responsible for the performance of a highly centralized IT Security system.

• SLB knowledge is a significant competitive advantage and needs to be protected

• People and process are more critical to IT Security than technology

• World Class as compared to “Silicon Valley” companies, not traditional Oilfield competitors

6

A Corporate Badge?

• Passwords are expensive and provide poor security
• Many different standards increase management complexity and help desk support costs
• Increasing network fraud, poor security around transactions and messaging
• Hard drive based security can be improved

=> One single ID card for both secure physical and logical access and providing portability and non-repudiation.

7

Corporate Badge Solution (Dexa.Badge)

• Authentication
• Authorization
• Non-repudiation
• Integrity
• Confidentiality

• Global physical access

• Corporate ID

• Global PKI plus Smart Card

• Secure network logon and web access

• Signed/encrypted email and docs

• Smart Login (Secure password store)

• Card-based VPN

• Secure Dial-Up Access

• DoD CAC platform

8

PKI Corporate Badge Overview

[Diagram: PKI Corporate Badge architecture. Labeled components: Production CA + Firewall; Test CA; LDAP Directory; High Security CA Room; Service Management Center (Houston); Tape Backup; Off-site Tape Storage; Card Issuance System; Card and User Management Service; Registration Authority; Remedy Event Tracking System; Master Users and PKI Support Team; Regional Operations; Local Service Desk; Card Perso Service Desk; User Site; SSO or LRA; End User with Standard PC.]

Austin

Jerome Denis, Austin Product Center

9

Card Issuance System

• Distributed issuing is essential for an ID Badge roll out
– Web-based system for card issuance
– Physical card issuance (card-user binding)
– Central database for card history
– Directory Interface

• Printing Stations (25)
– Admin client
– Camera
– Printer

10

Card Management System

• Essential for a smart card roll out
– Web-based system to address card related issues
– Logical card issuance (initial PIN set up)
– Issues applications such as PKI, SLB GINA, Smart Login
– Automatic certificate request and load

• Runtime (Smart Card related)
– PIN management with policy support
– Unblocking

• Lifecycle
– Lost card, Temporary card
– Not tied to the Certificate Authority

11

PC Client Architecture

[Diagram: PC client software stack. Labeled components: Reflex Reader; Smart Card Middleware – Schlumberger SCUK; Credential Store (Smart Login); Card Management System (CMS); PKI Client Suite – Entrust Entelligence. Labeled applications: VPN Check Point; File/Folder Encryption; E-mail, Forms Encrypt/sign, Web; Secure Dial-up Access; Thin Client Authentication; Secure PC & Network Login.]

12

Certificate Creation Process

[Diagram: certificate creation flow. Labeled parties: Registration Authority (RA); CA; LDAP; CIS; Site Security Officer; User. Arrow labels: enables; Sends one time codes (partial); Encrypted; Identifies user; Request certificates; Signs; Subscriber agreement; files; Creates profile; Publishes; Request card; Gives the codes + (card).]

13

Application: Virtual Private Networking

[Diagram: VPN topology. Labels: Internet; Remote SLB user; SVPN; Central Office Encryption Gateway; Remote Office Encryption Gateway; Customer Office Encryption Gateway; Customer Encryption Gateway; SLB people; Contractor.]

14

Application: Secure Dial-up Access

• Provides Smart Card based PKI authentication via dial-up connection
• Secure Communication between Network Access Point (NAS) and RADIUS
• Uses industry standards to facilitate transition from existing methods
• Performs Certificate Revocation List (CRL) checking

15

Application: Secure Web Access

[Diagram: secure web access. Labels: Application Servers; Policy Server; Web Servers; Public Key Infrastructure; Authorization; Authentication; Username Password; PIN & Digital Certificate; Encryption SSL 40 or 128 Bit; Confidentiality; Integrity; Non Repudiation; Digital Signature.]

16

General PKI Application Issues

• What to do while not all users of an application are deployed with PKI?
• Information Security Policy is key to guide efforts and spending
• Transition Rules are required.
• Some applications are difficult/costly to upgrade
• Budget Allocation Issues – who pays for what?
– Infrastructure, cards, applications, physical access,…

17

Physical Access Control

• One badge to access any facility or building worldwide
– Mifare contactless technology
– Compatible with most Physical Access Control vendors
– Global “roaming”
– Card Issuance System plays a key role

• Today almost 100 facilities support the technology
• Capital Intensive – you cannot replace everything
• Globalization of the solution in progress

18

Schlumberger Deployment Status

• About 35,000 Cyberflex Access cards issued
• 21,000+ Active certificates
• Users in 300+ locations worldwide
• Target is between 25,000 and 30,000 PKI users by year end
• 30 PKI-enabled web applications by end of July, 80 by EOY
• 4,000+ VPN Users
• Daily encrypted e-mail to top 1000 managers

19

What is Next?

• PKI Corporate Badge is a “Living System”
• Our IT Environment Evolves…
– Example: Windows 2000 Integration (Active Directory)
• Optimize the registration processes
• Focus on ease of use…
• Continue Integration in Business Applications
– Secure offline content delivery
– Electronic Signatures
• Moving towards Single Sign On

20

Lessons Learned

• A PKI/Corporate Badge solution is a multi-year project which requires strong top Management Support
• Deploying PKI and Corporate Badge requires a thorough understanding of the business IT and platform strategy.
– Directory, PC platform, Operating Systems, e-mail
– Networking
• Logistics are important!
• Training, Training, Training…

21

Schlumberger PKI /Corporate Badge Deployment

Thank You

Neville.Pattinson@slb.com

Austin

Neville Pattinson
Austin Technical Center